A new malware variant has been detected that is able to listen in on users’ calls, recognize the gender and identity of the callers, and even recognize to some extent what is being said.
Fortunately, the malware is part of a white-hat research experiment and poses no risk to smartphone users, at least for now.
Researchers from five universities in the United States—Texas A&M University, New Jersey Institute of Technology, Temple University, University of Dayton, and Rutgers University—teamed up to build EarSpy.
Ability to Abuse the Hardware
EarSpy is a side-channel attack that exploits the fact that smartphone speakers, motion sensors, and gyroscopes have improved over the years.
The malware reads the data captured by the phone's motion sensors while the ear speaker vibrates during a call. In earlier years this was not a viable attack vector, because neither the speakers nor the sensors were sensitive enough.
To prove their point, the researchers used two smartphones – one from 2016 and one from 2019. The difference in the amount of data collected was quite obvious.
To test whether the data can be used to identify the gender of the caller and recognize speech, the researchers used the OnePlus 7T and OnePlus 9 devices.
On the older device, caller gender identification accuracy was between 77.7% and 98.7%, and caller identification between 63.0% and 91.2%. Speech recognition accuracy ranged between 51.8% and 56.4%.
“Because there are ten different classes, the accuracy is still five times better than a random estimate, meaning that the vibrations caused by the ear speaker produced a reasonable amount of distinguishable impact on the accelerometer data,” the researchers explained in the white paper.
On the OnePlus 9 the researchers were also able to guess the gender of the caller quite well (88.7% on average), but caller identification dropped to 73.6% on average. Speech recognition accuracy dropped to between 33.3% and 41.6%.
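To make the "ten classes, five times better than chance" reasoning concrete, here is an added illustration of the kind of pipeline such a side channel rests on. It is not the EarSpy researchers' code and uses no real sensor data: the accelerometer traces are constructed (a weak, speaker-specific vibration tone buried in noise), the feature (dominant DFT bin) and the nearest-centroid classifier are deliberately crude stand-ins for whatever the paper actually uses, and the sample rate, window length and tone frequencies are assumptions chosen only so the demo runs in pure Python. What it shows is how a classifier's accuracy is compared with the 1/N chance baseline for N classes.

```python
import math
import random

SAMPLE_RATE = 512   # constructed accelerometer rate in Hz (assumption, not from the paper)
WINDOW = 128        # samples per trace (0.25 s); DFT bin width = 4 Hz
N_SPEAKERS = 10     # ten classes, matching the paper's caller-identification setup


def synth_trace(speaker_id, rng):
    """Constructed accelerometer trace: a faint tone at a speaker-specific
    fundamental (80..188 Hz, below the 256 Hz Nyquist limit) plus sensor noise.
    A small random frequency jitter keeps every trace slightly different."""
    f0 = 80 + 12 * speaker_id + rng.uniform(-3, 3)
    amplitude, noise_sigma = 0.05, 0.05  # constructed values
    return [amplitude * math.sin(2 * math.pi * f0 * n / SAMPLE_RATE) + rng.gauss(0, noise_sigma)
            for n in range(WINDOW)]


def dft_magnitudes(samples):
    """Naive DFT magnitude spectrum for bins 0..N/2 (no numpy needed)."""
    n = len(samples)
    mags = []
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        im = -sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        mags.append(math.hypot(re, im))
    return mags


def dominant_bin(samples):
    """Feature: index of the strongest non-DC bin (DC holds the gravity offset)."""
    mags = dft_magnitudes(samples)
    mags[0] = 0.0
    return max(range(len(mags)), key=mags.__getitem__)


def train_centroids(rng, traces_per_speaker=5):
    """Per-speaker mean dominant bin from a few labelled training traces."""
    centroids = {}
    for s in range(N_SPEAKERS):
        bins = [dominant_bin(synth_trace(s, rng)) for _ in range(traces_per_speaker)]
        centroids[s] = sum(bins) / len(bins)
    return centroids


def classify(samples, centroids):
    """Nearest-centroid decision on the dominant-bin feature."""
    b = dominant_bin(samples)
    return min(centroids, key=lambda s: abs(centroids[s] - b))


def evaluate(seed=1, tests_per_speaker=10):
    """Return classification accuracy over fresh constructed test traces."""
    rng = random.Random(seed)
    centroids = train_centroids(rng)
    correct = total = 0
    for s in range(N_SPEAKERS):
        for _ in range(tests_per_speaker):
            correct += classify(synth_trace(s, rng), centroids) == s
            total += 1
    return correct / total


def chance_ratio(accuracy, n_classes):
    """How many times better than random guessing (1/n_classes) an accuracy is.
    For the paper's 51.8% over ten classes this gives 5.18."""
    return accuracy * n_classes


if __name__ == "__main__":
    acc = evaluate()
    print(f"accuracy on constructed data: {acc:.3f} "
          f"({chance_ratio(acc, N_SPEAKERS):.1f}x chance)")
    print(f"paper's 51.8% over 10 classes: {chance_ratio(0.518, 10):.2f}x chance")
```

On the constructed data the tone is well above the noise floor, so the crude classifier does far better than the real attack; the point is the comparison, not the number. The defender-side lesson is the same one the article draws: whatever the feature and classifier, distinguishability comes from how much of the ear speaker's vibration the motion sensor can resolve, which is why newer, more sensitive hardware widens the channel.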